Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 3rd week of April 2016

Emerging Threat - Ghosts in the Endpoint

During a recent study titled 'Ghosts in the Endpoint', FireEye discovered multiple malicious samples that have gone undetected by anti-virus vendors. The malware they discovered included RATs, backdoors, scripts, and office documents exploiting known vulnerabilities. The malicious samples have been found to use alternate techniques, such as embedding objects within MS Office documents and multi-layer packing to bypass anti-virus engines. Attackers are also using previously known exploits but are able to disguise their malicious scripts or backdoors by changing the delivery method and/or leveraging obfuscation, encoding, encryption, or multiple layers of packing.

We have added new IDS signatures and correlation rules to detect this activity:

System Compromise, Targeted Malware, APT Chinema

System Compromise, Trojan infection, OccultAgent

System Compromise, Trojan infection, OfficeDownloader

New Detection Technique - CryptXXX Ransomware

CryptXXX is a newly discovered ransomware that spreads through the Angler Exploit Kit and infects machines with the Bedep Trojan. It then drops information stealers on the infected machines, and appends a .crypt extension to the filenames of the encrypted files. CryptXXX encrypts files on the local machine and on all mounted drives, and is currently asking a relatively high price ($500 per computer) to unlock encrypted files. CryptXXX is also known to be stealing Bitcoins.

We added new IDS signatures and a correlation rule to detect CryptXXX activity:

System Compromise, Ransomware infection, CryptXXX

In addition to that, we updated some correlation rules and added new IDS signatures to improve the detection of previously known ransomware families:

System Compromise, Ransomware infection, Poshcoder

System Compromise, Ransomware infection, Torrentlocker

New Detection Technique - MultiGrain PoS

A new variant of the NewPoSThings point of sale (PoS) malware family, called MultiGrain PoS, has recently been discovered by FireEye. This variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS. DNS-based exfiltration is new to this variant of the malware family. MultiGrain PoS has been specifically engineered to target a certain PoS process associated with popular back-end card authorization.

We have added new IDS signatures and a correlation rule to detect MultiGrainPOS activity:

System Compromise, Trojan infection, MultiGrainPOS

New Detection Technique - PWObot

PWObot, a new malware family, was recently discovered by Palo Alto Networks. Written entirely in Python, PWObot has been seen in targeted attacks against European-based organizations, specifically in Poland. It has the ability download and execute files, execute Python code, log keystrokes, spawn a HTTP server, and mine digital currency.

We added new IDS signatures and a correlation rule to detect PWObot activity:

System Compromise, Trojan infection, Pwobot

New Detection Technique - Policy violation

The following correlation rules have been added to alert on activity violating corporate policy:

Environmental Awareness, Attack Tool, Netcat

Environmental Awareness, Desktop Software - Video, Windows Quicktime

Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

The typical attack pattern involves first an attack (exploited vulnerability) and then installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control to the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity.

System Compromise, Malware RAT, Poison Ivy

System Compromise, Malware RAT, njRAT

Updated Detection Technique - Tor Onion Proxy

Tor is an open network that enables anonymity and allows users to surf the Internet anonymously. Tor also provides anonymity for servers that can only be accessed through the Tor network and are called hidden services. There are some websites that allow access to Tor hidden services through the Internet without being inside the Tor network. We have created a new correlation rule that will detect when a system is accessing one of these services. Many ransomware schemes use these services to receive payments and conduct other malicious activities.

Environmental Awareness, Anonymous channel, Tor Onion Proxy

Updated Detection Technique - Malware SSL Certificates

We have added new Intrusion Detection System signatures to include the list of certificates identified by Abuse.ch to be associated with malware of botnet activities. The new correlation rules use this information to detect C&C communications related to several malware families including:

System Compromise, C&C Communication, Known malicious SSL certificate

System Compromise, C&C Communication, Tinba SSL activity

Updated Correlation Rules

The following correlation rules have been updated due to recent malicious activity: